Privacy Roundup #0158 • September 2019

September 2019 stacked leaky databases, a record children's privacy fine and two landmark EU and US court rulings into one of the busiest privacy months of the year.

1. Aliznet leak exposes data on 2.5 million Yves Rocher customers

Researchers at vpnMentor found an unsecured Elasticsearch database run by the consultancy Aliznet that held names, phone numbers, email addresses and dates of birth for 2.5 million Canadian Yves Rocher customers. The same server exposed six million orders and an internal staff application that an attacker could have logged into.

www.infosecurity-magazine.com

2. Hackers breach the forum of the webcomic XKCD

Attackers compromised the phpBB forum for the popular webcomic XKCD and took roughly 560,000 user records, including usernames, email addresses, hashed passwords and some registration IP addresses. Administrators pulled the forum offline and urged anyone who had reused their password to change it elsewhere.

www.vice.com

3. A huge database of Facebook users' phone numbers found online

A security researcher discovered an unprotected server holding more than 419 million records that tied Facebook account IDs to users' phone numbers, including 133 million on people in the United States. Facebook said the data had been scraped before it removed the ability to look people up by phone number, but the exposure still left users open to spam and SIM swapping.

techcrunch.com

4. Google and YouTube to pay a record 170 million dollars over children's privacy

The Federal Trade Commission and the New York attorney general settled allegations that YouTube collected data from children under 13 without parental consent in breach of COPPA. The 170 million dollar penalty was by far the largest the FTC had ever obtained in a children's privacy case.

www.ftc.gov

5. Joker spyware found in 24 Google Play apps

Researchers discovered 24 apps on the Google Play Store carrying the Joker malware, which had been downloaded about 472,000 times. The spyware stole text messages, contact lists and device details and quietly signed victims up to costly premium subscription services.

threatpost.com

6. Data on 90,000 Mastercard loyalty members shared online

A database with sensitive information on around 90,000 German members of Mastercard's Priceless Specials loyalty programme was posted online and added to Have I Been Pwned. The leaked records included payment card numbers, names, dates of birth, addresses and phone numbers, prompting Mastercard to suspend the programme.

www.bleepingcomputer.com

7. Critical Exim flaw lets attackers gain root on mail servers

The Exim development team patched CVE-2019-15846, an unauthenticated remote code execution flaw that gave attackers full root access to vulnerable mail servers. With more than five million internet-facing Exim servers identified, the bug put a large share of the world's email infrastructure at risk.

www.rapid7.com

8. 198 million car-buyer records exposed online

A researcher found an unsecured Elasticsearch database belonging to the lead-generation firm Dealer Leads that held about 198 million records on prospective car buyers. The 413 gigabytes of data included names, email addresses, phone numbers, home addresses and vehicle details, all visible without any credentials.

threatpost.com

9. Simjacker flaw used to track phones through SMS

Researchers at AdaptiveMobile Security disclosed Simjacker, a flaw in the S@T Browser on many SIM cards that let attackers extract a phone's location with a silent text message. They said a surveillance company had been exploiting it across more than 30 countries for at least two years, affecting up to a billion handsets.

www.helpnetsecurity.com

10. Zynga breach exposes 218 million Words With Friends players

Zynga confirmed unauthorised access to player accounts after a hacker claimed to have taken the details of every Android and iOS user who had installed Words With Friends before 2 September. The stolen records covered roughly 218 million people and included names, email addresses, hashed passwords and phone numbers.

www.darkreading.com

11. Court says individuals can force the FBI to purge First Amendment records

In Garris v. FBI, the Ninth Circuit ruled that the FBI must delete a 2004 memo documenting the political expression of two journalists and an antiwar website. The court held that the Privacy Act bars agencies from keeping records on First Amendment activity without a current law enforcement need.

www.eff.org

12. California legislature passes a set of CCPA amendments

California lawmakers approved five bills amending the California Consumer Privacy Act before the session closed, covering employee data, the definition of personal information and a new data broker registration scheme. The changes shaped how the landmark law would work when it took effect in January 2020.

www.jonesday.com

13. Data breach exposes almost every citizen of Ecuador

Researchers found an unsecured server holding around 20 million records on people in Ecuador, more than the country's entire population, including its president and Julian Assange. The exposed data spanned national identity numbers, taxpayer numbers, bank balances and family details, and authorities detained the manager of the firm responsible.

www.engadget.com

14. EFF warns of Big Tech's disingenuous push for a federal privacy law

The EFF argued that the industry-backed Internet Association campaign for federal privacy legislation aimed to set a weak national standard that would override stronger state laws. It urged that any federal law should build a floor rather than a ceiling and must not pre-empt rules like California's and Illinois's.

www.eff.org

15. Lumin PDF leak exposes data on millions of users

After months of being ignored, a researcher published a database taken from the cloud editor Lumin PDF that exposed about 24 million user records. The data included full names, email addresses, Google access tokens and hashed passwords, stemming from a MongoDB instance left open since April.

www.bankinfosecurity.com

16. Facebook suspends tens of thousands of apps after Cambridge Analytica review

Facebook said it had suspended tens of thousands of apps from about 400 developers as part of the investigation it began after the Cambridge Analytica scandal. The figure dwarfed the few hundred apps the company had previously acknowledged acting against, though it gave little detail on what they had done.

www.cnbc.com

17. EU court limits the right to be forgotten to Europe

The Court of Justice of the European Union ruled that Google does not have to apply right-to-be-forgotten delisting requests worldwide, only across its EU domains. The EFF welcomed the decision as a win for free expression, warning that a global order would let one country's rules govern what everyone else could read.

www.eff.org

18. DoorDash confirms a breach affecting 4.9 million people

DoorDash disclosed that an intrusion dating back to May had exposed data on 4.9 million customers, delivery workers and merchants who joined before April 2018. The stolen information included names, email and delivery addresses, phone numbers, hashed passwords and the driving licence numbers of about 100,000 couriers.

techcrunch.com

19. Comodo forums hacked through an unpatched vBulletin flaw

Attackers exploited a recently disclosed vBulletin vulnerability to breach Comodo's forums, exposing the account details of nearly 245,000 registered users. Comodo had failed to apply the available patch in time, leaving usernames, email addresses and other forum data open to theft.

www.bleepingcomputer.com

20. Vimeo sued over facial recognition in its Magisto app

A class action filed in Illinois accused Vimeo of scanning faces in photos and videos uploaded to its Magisto app to build biometric face templates without consent. The suit alleged this breached the state's Biometric Information Privacy Act, which sets damages of up to 5,000 dollars per violation.

natlawforum.com
